Kaspersky to sue US Department of Homeland Security over software ban

Officials predict the suit will go nowhere

Kaspersky Lab filed a lawsuit against the US government for banning its software. The Department of Homeland Security issued a directive last September requiring all departments and agencies to replace the security suite within three months.

The directive allows 30 days to identify any government systems that use Kaspersky, 60 days to come up with a plan for eliminating the software, and 90 days to start uninstalling it.

Additionally, President Trump just this month approved a spending bill prohibiting the use of Kaspersky anti-virus products on federal government machines.

The shakeup began when allegations surfaced that the Russian government had compromised Kaspersky's software code. This claim led to the security firm being removed from a list of approved federal vendors back in July. Then in September, the DHS officially issued a directive to have the software removed from government systems.

HomeSec issued a statement justifying a ban on the software.

“The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.”

The ban itself is not particularly damaging to Kaspersky considering the small number of federally owned computers that use the company’s anti-virus software. According to Reuters, the total lost revenue from the ban is around $54,000, which is only 0.03 percent of its total US sales. However, the directive is thought to have prompted US retailers such as Best Buy to drop the product. How much this has cost the company is unclear, but Kaspersky is not going down without a fight.

The firm announced in an open letter that it would be challenging the DHS decision in federal court. It is suing on the grounds that Binding Operational Directive 17-01 was unjust in that it did not provide the company “adequate due process” and was based on unsubstantiated allegations.

“DHS failed to provide Kaspersky Lab with adequate due process and relied primarily on subjective, non-technical public sources like uncorroborated and often anonymously sourced media reports and rumors in issuing and finalizing the Directive.”

The company alleges that the DHS has harmed its business without providing any evidence of its alleged wrongdoing. Although the company made what it terms “good faith efforts” to address any concerns the US government might have about its product, the ban was instituted without the DHS allowing Kaspersky to explain its operations or defend itself against the allegations.

The company did not precisely state what it was seeking in the lawsuit, only saying that it was looking to protect its rights under the US Constitution and that it wants reparations for the “reputational and commercial damage” it has suffered from the ban.

The suit is not likely to result in a win. Since the ban was a policy measure, a US court is not expected to support a commercial business suing to dictate government policy.

Additionally, US officials have indicated that even a review of the source code is not likely to change the policy, since many government agencies such as the Pentagon have already prohibited the software for some time. Directive 17-01 only broadened existing military policy to apply to civilian government agencies.